April 04, 2019
Suggested Preventative Measures:
- Inventory all systems in your environment and know what data you possess, the type of data it is (e.g. PII, PCI, PHI), and where it is stored.
- Keep your systems current: apply patches promptly, keep antivirus up to date on endpoints and servers, and set it to run regular scans automatically.
- Ensure critical systems and files have up-to-date backups.
- Have both an Incident Response Plan and a Security Compliance Plan.
- Conduct an audit of all high-risk vendor agreements to ensure your interests are adequately protected.
- Frequently train employees on how to identify phishing and spear-phishing emails, and follow the principle of least privilege, that is, do not give employees access to data they do not need.
- Practice and enforce good password hygiene with your employees.
- Utilize the expertise of a reputable Data Security Services provider!
The Evolving World of Cyber Insurance:
The cyber insurance industry is still finding its footing in this new age of cyber attacks. Nonetheless, there are many different types of insurance coverages a business can obtain to protect itself, such as:
- Forensic and Legal Services Costs Coverage
- Regulatory Costs Coverage
- Crisis Management/Public Relations/Notice Costs Coverage
- Computer Extortion Coverage
- Business Interruption Coverage
- Data Recovery Coverage
- Ransomware Coverage
- Social Engineering Coverage
- Telecommunications Coverage
- Credit Monitoring Costs Coverage
- Media/Content Liability Coverage
- Privacy Liability Coverage
But…Beware of Policy Loopholes:
If you elect to purchase cyber insurance for your business, read the policies carefully. Some examples of policy loopholes include:
- An exception may apply to any named insured if a current or former partner, officer, or director of such named insured committed, acquiesced or participated in the actions that gave rise to a claim.
- Certain coverages may require that other coverages also be purchased; for example, Ransomware coverage may have to be purchased in conjunction with Computer System Extortion coverage.
- Look for requirements in the policy that call for subjective standards such as “good faith reliance.”
- The policy may not apply with respect to any government-ordered seizure or destruction: seizure, confiscation, nationalization or destruction of information or the computer system by order of any governmental or public authority.
If you suffer a data security breach:
- Call your attorney to represent you, including during audits and litigation.
- Notify your insurance carrier of potential litigation, losses and damages.
- Based on the advice of counsel, notify the proper department and affected clients (under FL Statute 501.171, generally no later than 30 days after the determination of the breach). Each state has its own requirements, so if an affected client resides in another state, that state’s regulations must be accounted for as well.
DISCLAIMER: This blog is for educational purposes only and does not offer nor substitute legal advice. Additionally, this blog does not establish an attorney-client relationship and is not for advertising or solicitation purposes. Any of the content contained herein shall not be used to make any decision without first consulting an attorney. The hiring of an attorney is an important decision not to be based on advertisements, or blogs. Hunter Business Law expressly disclaims any and all liability in regard to any actions, or lack thereof, based on any contents of this blog.